CCPA Update: Latest Amendments and Draft Regulations
On 10 October 2019, California Attorney General Xavier Becerra released the first set of proposed regulations under the California Consumer Privacy Act (CCPA) to the public. One day later, Governor Gavin Newsom signed into law six amendments to the CCPA and a bill that updates the state’s data breach law to include mandatory data breach notifications for additional categories of data, including passport data and biometric data.
Both the draft regulations and the amendments aim to clarify CCPA requirements and offer guidance on a number of issues, including notice and privacy policies and how companies are expected to respond to consumer requests for data access and deletion.
The CCPA, considered the most comprehensive consumer-friendly privacy law in the United States, was signed into law on 28 June 2018 and is slated to come into effect on 1 January 2020. However, the attorney general can enforce it only six months after the date he promulgates the final regulations or as of 1 July 2020, whichever comes first.
Amendments to the CCPA
The six amendments to the CCPA recently signed into law by the governor bring some much-needed clarity to the scope of the CCPA. Here’s a breakdown:
- AB-1202 requires data brokers to register with the California Attorney General’s Office. The law aims to help consumers exercise their new rights under the CCPA by providing a way for them to easily identify and contact businesses that may be collecting and selling their data.
- AB-1564 requires companies to offer consumers two methods of contacting them when requesting information about the data they collect about them. One of these methods must be a toll-free number. Companies doing business exclusively online can provide only an email address.
- AB-25 delays the application of the CCPA to 1 January 2021 for business-to-business transactional communications and the collection of personal information by companies from a natural person acting as a job applicant, employee or contractor who is performing services under a written agreement.
- AB-1355 redefines personal information to exclude deidentified and aggregated consumer information. It also grants a temporary exemption from CCPA requirements for businesses engaged in certain B2B transactions until 1 January 2021.
- AB-1146 adds exemptions for certain vehicle information collected as part of a warranty or recall program.
- AB-874 clarifies how publically available information is defined under the CCPA. Information lawfully made available in federal, state or local government records will be considered publically available and excluded from the CCPA definition of personal information.
Update to Data Security Breach Reporting
At the same time that the six amendments to the CCPA were passed, an update to California’s data security breach reporting requirements, AB-1130, was also signed into law, adding several new categories of personal data to them. Organizations will now be required to notify consumers if their passport data, biometric data, taxpayer and military identification numbers, and other unique government identification numbers, have been compromised in case of a breach.
The regulations proposed by the California Attorney General’s Office both shed light on what is expected from businesses when it comes to notices and how they must answer requests from consumers concerning their data. They are split into five main categories:
- Responding to consumer requests: this section of the regulations instructs companies on how they must receive, verify, respond to and document requests for data access or deletion. The rules specify, for example, that deletion requests can be completed by permanently erasing personal information on a business’s systems or by deidentifying or aggregating the consumer’s personal information. Companies must specify in their answer to consumers how they have complied with their request.
- Rules regarding minors: clarifies the CCPA’s requirements for collecting and selling the personal information of consumers under the age of 16.
- Guidance on non-discrimination: the regulations define discriminatory incentives as those that treat consumers differently because they exercised a right under the CCPA or its regulations. However, they also create exemptions for a price or service difference that is reasonable related to the value of the consumer’s data.
- Service providers: this section seemingly contradicts the CCPA which states that service providers do not need to reply to consumer rights requests, by specifying that service providers must, in fact, provide a basis for denying requests from consumers regarding their personal information collected or maintained by the service provider on behalf of the business.
The initial reaction to the draft rules has been mixed, with many considering they reach beyond what the statute requires. The proposed regulations are currently under public review, with the California Attorney General’s Office holding four public hearings and accepting comments from the general public through 6 December. The public hearings are likely to bring changes to the final set of rules which the Attorney General’s office aims to publish in the spring of 2020.